
MAC

CXF 2.6.2 supports MAC tokens as specified in the latest MAC Access Authentication draft. MAC tokens give clients a way to demonstrate that they 'hold' the token secret issued to them by AccessTokenService, rather than simply presenting the token itself. It is recommended that an AccessTokenService endpoint issuing MAC tokens enforce two-way TLS, for extra protection of the MAC token data returned to clients.

The following code fragment shows how the MacAccessToken utility class can be used to create MAC tokens:

import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.tokens.mac.HmacAlgorithm;
import org.apache.cxf.rs.security.oauth2.tokens.mac.MacAccessToken;

public class CustomOAuthDataProvider implements AuthorizationCodeDataProvider {

   public ServerAccessToken createAccessToken(AccessTokenRegistration reg)
      throws OAuthServiceException {

      // generate a MAC token for the registered client:
      // HMAC-SHA1 as the MAC algorithm, 3600 seconds lifetime
      ServerAccessToken token = new MacAccessToken(reg.getClient(),
         HmacAlgorithm.HmacSHA1, 3600L);

      // set other token fields (scopes, subject, ...) as shown in the Bearer section

      // persist as needed and then return

      return token;
   }
   // other AuthorizationCodeDataProvider methods not shown
}

One can expect the following response:

Response-Code: 200 
Content-Type: application/json 
Headers: { 
Cache-Control=[no-store], 
Pragma=[no-cache], 
Date=[Thu, 12 Apr 2012 14:36:29 GMT]
} 

Payload: 

{"access_token":"5b5c8e677413277c4bb8b740d522b378", "token_type":"mac",
"secret":"1234568", "algorithm":"hmac-sha-1"}

Note that 'access_token' is the MAC key identifier and 'secret' is the MAC key itself.

MacAccessTokenValidator has to be registered with OAuthRequestFilter to validate incoming MAC tokens. This validator can be given a reference to a custom NonceVerifier; CXF may ship a default implementation in the future.

The client can use CXF OAuthClientUtils to create MAC Authorization headers. All that is needed is to provide references to a ClientAccessToken representing the MAC token issued by AccessTokenService and to HttpRequestProperties capturing the information about the current request URI:

import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.oauth2.client.HttpRequestProperties;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;

String requestURI = "http://localhost:8080/calendar";
WebClient wc = WebClient.create(requestURI);

// represents the client registration
OAuthClientUtils.Consumer consumer = getConsumer();
// the MAC token issued by AccessTokenService (key identifier, secret and algorithm)
ClientAccessToken token = getToken();

// captures the HTTP method and the current request URI used when computing the MAC
HttpRequestProperties httpProps = new HttpRequestProperties(wc, "GET");
String authHeader = OAuthClientUtils.createAuthorizationHeader(consumer, token,
   httpProps);
wc.header("Authorization", authHeader);

// Calendar is the application's own resource type
Calendar calendar = wc.get(Calendar.class);

This code will result in something like:

GET /calendar HTTP/1.1
Host: localhost
Accept: application/xml
Authorization: MAC id="5b5c8e677413277c4bb8b740d522b378",
nonce="273156:di3hvdf8",
mac="W7bdMZbv9UWOTadASIQHagZyirA=",
ext="12345678"

where the 'ext' attribute is used to pass a timestamp value.
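To make the header above concrete, the following is an added, self-contained example (not CXF code) of what happens on both sides: the client computes an HMAC-SHA1 over a normalized description of the request using the token 'secret', and the server, playing the role of MacAccessTokenValidator, recomputes it from the request it actually received, checks the 'ext' timestamp and applies a NonceVerifier-style replay check. The layout of the signed string (nonce, method, path, host, port, ext, one per line) is an assumption made for this example, as are the class and method names MacTokenDemo, Validator, authorizationHeader and normalizedRequest; the key identifier and secret are constructed to mirror the shape of the sample response.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of MAC token signing and validation; not CXF code.
// The layout of the signed string below is an assumption made for this example.
public final class MacTokenDemo {

    // "access_token" (key identifier) and "secret" (MAC key) as issued by AccessTokenService
    record MacCredentials(String keyId, byte[] secret) {}

    // String the HMAC covers: one field per line, each terminated by '\n'
    static String normalizedRequest(String nonce, String method, URI uri, String ext) {
        String path = uri.getRawPath() == null || uri.getRawPath().isEmpty() ? "/" : uri.getRawPath();
        if (uri.getRawQuery() != null) path += "?" + uri.getRawQuery();
        int port = uri.getPort() != -1 ? uri.getPort() : "https".equals(uri.getScheme()) ? 443 : 80;
        return nonce + "\n" + method.toUpperCase() + "\n" + path + "\n"
            + uri.getHost() + "\n" + port + "\n" + ext + "\n";
    }

    static String hmacSha1Base64(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Client side: what OAuthClientUtils.createAuthorizationHeader does conceptually
    static String authorizationHeader(MacCredentials creds, String method, URI uri, long nowSeconds)
            throws Exception {
        byte[] rnd = new byte[8];
        new SecureRandom().nextBytes(rnd);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(rnd);
        String ext = Long.toString(nowSeconds); // the timestamp travels in 'ext', as on this page
        String mac = hmacSha1Base64(creds.secret(), normalizedRequest(nonce, method, uri, ext));
        return "MAC id=\"" + creds.keyId() + "\", nonce=\"" + nonce + "\", mac=\"" + mac
            + "\", ext=\"" + ext + "\"";
    }

    // Server side: the role MacAccessTokenValidator plays, plus a NonceVerifier-style replay check
    static final class Validator {
        private final Map<String, MacCredentials> tokens = new ConcurrentHashMap<>();
        private final Map<String, Long> seenNonces = new ConcurrentHashMap<>(); // key:nonce -> expiry
        private final long maxSkewSeconds;

        Validator(long maxSkewSeconds) { this.maxSkewSeconds = maxSkewSeconds; }
        void register(MacCredentials c) { tokens.put(c.keyId(), c); }

        boolean validate(String header, String method, URI uri, long nowSeconds) throws Exception {
            if (header == null || !header.startsWith("MAC ")) return false;
            Map<String, String> p = parseParams(header.substring(4));
            MacCredentials c = p.get("id") == null ? null : tokens.get(p.get("id"));
            if (c == null || p.get("nonce") == null || p.get("mac") == null || p.get("ext") == null) return false;
            // 1. the timestamp in 'ext' must fall inside the accepted window
            long ts;
            try { ts = Long.parseLong(p.get("ext")); } catch (NumberFormatException e) { return false; }
            if (Math.abs(nowSeconds - ts) > maxSkewSeconds) return false;
            // 2. recompute the MAC over the request the server actually received; compare in constant time
            String expected = hmacSha1Base64(c.secret(), normalizedRequest(p.get("nonce"), method, uri, p.get("ext")));
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       p.get("mac").getBytes(StandardCharsets.UTF_8))) return false;
            // 3. each nonce is accepted once per key within the window; expired entries are dropped lazily
            seenNonces.values().removeIf(exp -> exp < nowSeconds);
            return seenNonces.putIfAbsent(c.keyId() + ":" + p.get("nonce"), nowSeconds + maxSkewSeconds) == null;
        }

        private static Map<String, String> parseParams(String s) {
            Map<String, String> m = new HashMap<>();
            for (String part : s.split(",")) {
                int eq = part.indexOf('=');
                if (eq < 0) continue;
                String v = part.substring(eq + 1).trim();
                if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) v = v.substring(1, v.length() - 1);
                m.put(part.substring(0, eq).trim(), v);
            }
            return m;
        }
    }

    public static void main(String[] args) throws Exception {
        // constructed credentials mirroring the shape of the sample response above
        MacCredentials creds = new MacCredentials("5b5c8e677413277c4bb8b740d522b378",
            "1234568".getBytes(StandardCharsets.UTF_8));
        Validator validator = new Validator(300);
        validator.register(creds);
        URI uri = URI.create("http://localhost:8080/calendar");
        long now = 1_333_377_389L; // constructed request time, seconds since the epoch
        String header = authorizationHeader(creds, "GET", uri, now);
        System.out.println("Authorization: " + header);
        System.out.println("fresh request accepted:   " + validator.validate(header, "GET", uri, now));
        System.out.println("replay rejected:          " + !validator.validate(header, "GET", uri, now));
        System.out.println("stale timestamp rejected: " + !validator.validate(header, "GET", uri, now + 3600));
    }
}
```

The secret never appears on the wire after issuance; only the key identifier, a nonce, the timestamp and the HMAC do. That is why the server must recompute the MAC over the method, host, port and path it actually received rather than over values taken from the header, and why the nonce store is what turns a valid captured header into a one-time credential. Both the timestamp window and the nonce retention period are set by the same value here so that a nonce cannot be reused once the server has forgotten it.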
